Security
Your records carry legal weight. We build accordingly.
Incident logs go to licensing boards. Audit trails go to the ICO. Data exports get filed with subject access requests. These aren't routine outputs - they're legal documents. Holocron is built to produce records that hold up.
Encryption
AES-256 at rest. TLS 1.2+ in transit.
All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. No plaintext data is stored or transmitted at any point in the pipeline. This is not a configuration option - it is the baseline, and it cannot be disabled.
Access Controls
Role-based, auditable, immutable.
Three permission levels - Owner, Manager, and Staff - enforce strict data boundaries across every API request and UI interaction. Every action carries a timestamp and user attribution. Audit logs are write-once and immutable: no user, administrator, or API call can modify or delete them. This is a deliberate architectural decision, not a default setting.
UK Regulatory Compliance
GDPR, DPA 2018, and ICO registered.
SoundIn Limited is registered with the Information Commissioner's Office and operates in full compliance with the UK Data Protection Act 2018 and UK GDPR. A Data Processing Agreement is available on request for all paid accounts. Incident logs, audit trails, and session records are structured specifically to satisfy UK licensing authority requirements - because these records carry legal weight, and the platform treats them accordingly.
Infrastructure
Your venue's data - incidents, attendance, audit trails - lives in its own isolated database schema. Not filtered by a row flag. Not shared with other customers. Architecturally separated at the data layer.
Security enquiries, ICO-related questions, Data Processing Agreement requests, or anything else that touches our compliance obligations - contact us directly. We will respond with the same rigour we apply to the platform itself.